2016‐08‐30

1

Locking Down the Supply ChainSeptember 14, 2016

Orlando, Florida

ASIS Supply Chain & Transportation Security  Council  ‐ SCSC

Laura HainsVicki NicholsDennis Blass

“Locking Down the Supply Chain”

What’s New!C-TPAT – Import/Exporter Program

Laura Hains, CPP

Operations Manager Supply Chain Security Group- Pinkerton

2016‐08‐30

2

Trade Facilitation and Trade Enforcement Act of 2015 (“Customs Bill”)

• Signed into law February 24, 2016 with objective to ensure a fair and competitive trade environment through:

• Protect Economic Security through Trade Enforcement• Strengthens enforcement capabilities and methods

• Establishes a new administrative procedure of investigating allegation of evasion of Antidumping and Countervailing Duty (AD/CVD)

• Enhances CBP’s efforts to combat the import of counterfeit goods and IPR holders.

• Prohibits all products made by forced labor from being imported.

• Collaborate with the Private Sector through Direct Engagement

• Reinforces collaboration with both Partner Government Agencies & private sector.

• Authorizes the Commercial Customs Operation Advisory Committee (COAC) to advise on CBP’s regulations, policies and practices.

• Formalizes CBP’s industry seminar programs• Codifies the requirement for CBP’s longstanding consultation with PGA’s

Trade Facilitation and Trade Enforcement Act of 2015

• Streamline and Modernize through Business Transformation:

• Extends the funding through 2018 for the Automated Commercial Environment (ACE)

• Supports CBP’s efforts to develop and implement the Centers of Excellence and Expertise Centers

• Recognizes the authority to establish and maintain CBP’s preclearance program for international travelers

• Simplifies and modernizes drawback legislation governing the refund of relevant duties, taxes and fees.

• Raises the de minimis value from $200 per shipment to $800.00 per shipment.

https://www.cbp.gov/sites/default/files/assets/documents/2016-Aug/TFTEA_Overview_FINAL.pdf

2016‐08‐30

3

Basis For Supply Chain Programs

• Programs based in some form on the World Customs Organization (WCO) Framework of Standards to Security and Facilitate Global Trade (SAFE) and Safe has origins in the revised Kyoto Convention.

• 161 of 171 WCO members have signed on to SAFE• SAFE Objectives & Principles

• Establish standards that provide SCS and facilitation at a global level to promote certainty and predictability.

• Enable integrated SC management for all modes of transport.• Enhance the role, functions and capabilities of Customs to

meet the challenges and opportunities of the 21st century.• Strengthen co-operation between Customs administrations to

improve their capability to detect high-risk consignments.• Strength Customs to Business co-operation• Promote the seamless movement of goods through secure

international trade supply chains.

Four Core Elements of Safe Framework

Two Pillars of Safe 

Framework

Harmonizes Advance Electronic Cargo Information

Countries  commit to employing risk management  to address security threats

Reasonable requests to perform outbound inspection of high risk cargo

Defines benefits that Customs will provide to business that meet minimal SCS Standards

Customs‐to‐Customs  Customs‐to‐Business

2016‐08‐30

4

Authorized Economic Operator-AEOSafe Framework defines an AEO as:

“A party involved in the international movement of goods in whatever function that has been approved by or on behalf of a national Customs Administration as complying with WCO or equivalent supply chain security standards.

AEO’s include manufacturers, importers, exporters, brokers carriers, consolidators, intermediaries, ports, warehouses, distributors.”

Customs Trade Partnership Against Terrorism (C-TPAT)

• C-TPAT developed by the US Customs Service as a result of growing concerns by government and business to “safeguard the world’s vibrant trade industry from terrorists, maintaining the economic health of the U.S. and its neighbors.” (CBP.Gov)

• Begun in November 2001 with seven (7) major importers. (Started in the late 90’s as a trade initiative)

• Includes U.S. Importers, U.S./Canada highway carriers; U.S./Mexico highway carriers; rail and sea carriers; licensed U.S. Customs brokers; U.S. Marine Port Authority/Terminal operators; U.S. freight consolidators; ocean transportation intermediaries and non-operating common carriers; Mexican and Canadian manufacturers and Mexican long-haul carriers.

• Today there are more than 11,400 certified members.

2016‐08‐30

5

C-TPAT: Benefits• Reduced number of CBP Examinations:

• Tier 1 = 2 times less likely; Tier 2 = 4 times less likely; Tier 3 = 7 • 6 Times less likely to have exams for security reasons

• Front of the line Inspections.• Possible exemption from Stratified Exams.• Shorter wait times at the border.• Assignment of a Supply Chain Security Specialists (SCSS)to the company.• Access to the Free and Secure trade (FAST ) Lanes at the land borders.• Access to the C-TPAT web-based Portal system and the library of training

materials.• Possibility of enjoying additional benefits by being recognized as a trusted trade

Partner by foreign Customs administrations that have signed Mutual Recognition with the US.

• Eligibility for other US Government pilot programs (FDA)• Business resumption priority following a natural disaster or terrorist attack.• Importer eligibility to participate in the Importer Self-Assessment Program (ISA)• Priority consideration at CBP’s industry-focused Centers of Excellence and

Expertise. (CBP.GOV)

Who Can be a Member?• A company can be certified in C-TPAT if they

are PHYSICALLY located in the United States (US), Canada (CA), or Mexico (MX).

C-TPAT 2016 Current State• Remains a voluntary Supply Chain Security

Initiative.

• Currently 11,000 Members in the C-TPAT Program

• Controlling 60% of all imported Goods

• Total importers in US-810,000

• CBP Wants new Direction, “Secure and Expedited Trade”

• Increase membership to include small & medium companies

• Expansion of Trusted Trader Programs

• Synchronization with other US Government Programs

• Single Window at the Border by this year (2016)

2016‐08‐30

6

Mutual Recognition Arrangements• A signed “arrangement” that indicates that the security requirements or

standards of the foreign industry partnership program Insure that the programs are compatible in theory & practice.

• Sign first one in 2007, today the U.S. has signed 11 arrangements.

• Mutual Recognition is based solely on security; specifically, it is based on the Foreign Customs partnership programs having similar security criteria and verification procedures as the C-TPAT program.

• Members do have to be compliant.

• C-TPAT members engaged in fraud or have had serious penalties against them for customs issues (undervaluation, incorrectly declaring goods, classification issues, etc…) can and have been suspended and/or removed from C-TPAT.

• Because you have a mutual recognition arrangement that does not mean you will not have examinations.

Operational AEO Programs With Mutual Recognition

• Canada – Partners in Protection (PIP) Customs Self-Assessment (CSA), Free and Secure Trade (FAST), Partners in Compliance (PIC), Import/Export-CSA, FAST, Pic-Import (June 2008)

• Dominican Republic, (Dec 2015)

• EU – AEO (27 Countries), Import/Export (May 2012)

• Israel – Import/Export (June 2014)

• Japan – AEO, Import/Export (June 2009)

• Jordan – Golden List Program, Import/Export (June 2008)

• South Korea - AEO, Import/Export (June 2010)

• Mexico - New Scheme of Certified Companies (NEEC), Import/Export (Oct 2014)

• New Zealand – Secure Exports Scheme (SES), Export (June 2007)

• Singapore – Secure Trade Partnership (STP), Import/Export (Dec 2014)

• Taiwan – Import/Export (Nov 2012)***

• USA – Customs-Trade Partnership Against Terrorism (C-TPAT), Import (Nov 2001)/Export-(May 2015)

2016‐08‐30

7

C-TPAT Export Program• Began May 16, 2015

• Exporter: A person or company who, as the principal party in interest in the export transaction, has the power and responsibility for determining and controlling the sending of the items out of the United States.

• Exporter Benefits

• Mutual Recognitions Arrangements

• Marketing

• Reduced Examination Rates and Time

• Priority Processing

• Business Resumption

• Access to Individual-Assigned C-TPAT Supply Chain Security Specialist (SCSS)

• Eligibility to Attend C-TPAT Training and Seminars

• Access to the C-TPAT Portal System

• Common Standard

Organizational Gains Beyond Regulatory Compliance

Ba

• Background Checks• Access Control• Hiring & 

Termination Procedures

• Shipment Documentation

• Information Security

• Business Partner Vetting

• Internal and External Audit Function

• Purchasing• Facility 

management• Administration• Logistics• Trade Compliance• Security• IT

• Ability to join other programs such as  FAST and ISA‐Importer Self Assessment

• Duty payment‐monthly instead of transactional

• Reduced Penalties

• Internal Conspiracy• Workplace violence• Intellectual 

property protection• Country risk 

factors‐crime, Contraband and Human Smuggling

• Improved supply chain 

transparency by mapping end to 

end supply chains.

Internal Controls

Security Awareness

Financial

Threat Analysis

Transparency

Internal Controls

2016‐08‐30

8

“Locking Down the Supply Chain”

SCS Top “10” List – Practitioner TipsVicki Nichols

SCS Top “10” Practitioner Tips

1. Secure Leadership Commitment

2. Address Organizational Issues

3. Know Your Supply Chain

4. Engage Your Supplier

5. Share Tools of the Trade

6. Embed Supply Chain Risk

7. Standardize Risk Management

8. Innovate Risk Mitigations

9. Implement a Strong Audit Program

10.Constantly Evaluate and Evolve

2016‐08‐30

9

# 1 Secure Leadership CommitmentSecure Leadership Commitment

• Develop strategy and actively govern your SCS Program

• Align that strategy to evolving business goals

• Implement and effective and robust SCS Program

Move toward collaborative cross-functional security management

# 2 Address Organizational IssuesIdentify Stakeholders

• Security• International Trade Compliance• Logistics• Procurement• Risk Management• Human Resources

Deploy and empower cross functional teams to:

• Continuously assess and qualify; • Categorize and prioritize and;• Manage risk

2016‐08‐30

10

# 3 Know Your Supply Chain• Thoroughly and continuously vet your supply base

• Know touches your product, materials and freight• Shipment volume• Mode of transportation• Number of suppliers• Countries of export• Carriers and filers

• Evaluate cargo country risk• Cargo disruption• Unmanifested cargo• Anti-western sentiment

• Control who is arranging transportation for your freight• Add SCS Elements to Contract Language• Use Incoterms that provide the most security

# 4 Engage Your Supplier• Develop a SCS communication strategy for

engaging:• Suppliers• Logistic service providers

• Interact frequently with suppliers using multiple channels:

• Supplier conferences • Websites• Printed material• Training

2016‐08‐30

11

# 5 Share Tools of the Trade

• Collaborate with industry to identify leading edge practices such as:

• Supplier score cards• Risk registers• Risk criteria• Self-assessment questionnaires• Example questions to ask suppliers

# 6 Embed Supply Chain Risk• Advocate on policy and procedure updates

• Spread SCS references into existing policies and procedures

• Potential policy and procedures insertion points:• Hiring practices• Acquisitions procedures• Risk and opportunity management• Internal and external auditing

• Integrate SCS requirements into suppliers and logistic service providers contract terms and conditions

2016‐08‐30

12

# 7 Standardize Risk Management

Poor Supplier Financials  or Delivery Performance

Political /Country Instability

Supply Chain  Use for Smuggling

Cargo Tampering

Intrude or Take Control of an Asset

Dangerous Routing

Environmental/Natural  Disasters

IP Theft

Information Tampering

Cyber Attacks 

Terrorism

Legal/Regulatory Non‐ Compliance 

Risk Identification

Track & Trace Technologies

Alternate Suppliers

ID Critical Suppliers

Authorized Distributors

Cargo Mapping

Performance Metrics

Traceability & Controls 

Business Partner Credentialing

Limiting Access

Business Rules

Inventory Monitoring 

Tamper Evident Technologies

Country Risk Ratings

On‐Site Assessments

Targeted Assessment

Supplier Self‐Assessments –Questionnaires

Risk Event Data

Compliance Monitoring

Handling Strategies

Integrated Supply Chain Risk Assessment Process

Risk Assessment

Define Strategy

Risk Handling

Accept Risk?

What?       When

?        W

here?         How?       Who?

Yes

No

Monitor an

d Review

Communication & Consultation

# 8 Innovating Risk MitigationsMitigation Measures

• Strategic use of “track/trace” technologies

• Consistent use anti-tamper tape• Practice “Need to Know” with your

supplier• Incident response planning• Employee & supplier awareness &

training• Critical questions for supplier vetting• Investigate suspicious anomalies• Periodically Change procedures

• How critical is the product?• Is it exploitable?• HOW can it be exploited?• What are the implications of

product compromise? • How much data does the

supplier NEED to fulfill the contract?

• What do I know about my supplier?

• How will the supplier safeguard product information?

2016‐08‐30

13

# 9 Implement a Strong Audit Program

External:• Right to Audit in

Contract Language

• Prioritize on-site supplier audits

• Establish corrective action plans

• Perform follow-up assessments

Internal:• Include cargo security

in corporate risk management program

• Integrate cargo security into internal audit programs

• Create a dedicated group that has expertise in key areas

# 10 Constantly Evaluate and EVOLVE

• Increase end-to-end visibility

• Integrate risk management teams that manage security, resilience and risk

• Engage external partnerships in risk management and resilience.

• Design procedures to ID emerging risks

• Conduct full scenario & contingency exercises

• Prepare response and recovery plans

• Focus on “bounce back”

RESILIENCE used as a COMPETITIVE ADVANTAGE

2016‐08‐30

14

# 10 Constantly Evaluate and EVOLVE

Pre‐Compliant

• Not C‐TPAT Compliant

• No established SCS prevention

• No response standards or practices

Compliant

• Response to regulations or standards imposed from outside

• Security is the cost of doing business

Secure

• Outside standards are seen as insufficient 

• Greater emphasis on security & prevention to support company vision & strategies, protect brand reputation, physical assets, & shareholders

• Security is seen as part of the business model

Resilient

• A comprehensive business strategy that leverages SCS investments to enable an increase in competitiveness

• Disruptions seen as inevitable and adds focus on “bounce back”

• Flexibility and/or redundancy in SC for detection and response, ensuring product movements, business continuity, and service to customers in and post disruption

• RESILIENCE used as COMPETITIVE ADVANTAGE

Constantly Evaluate and EVOLVE cont.

Constantly Evaluate and EVOLVE cont.Key Processand Focus

Pre‐Compliant

Compliant Secure  Resilient

Leadership No  risk focus Program compliance

Prevention security Response for advantage

Internal Integration

None Reactive coordination

Proactive coordination

Integrated teams manage security, resilience, risk

External Partnership

No defined partners

Limited interaction

Partners involved in security only

Partners is risk management and resilience

Visibility Limited to novisibility

Some system visibility

Partner visibility End‐to‐end visibility

Risk Management

No standards Emerging security standards

Partners pre‐screened

Partners help manage risk

Risk Detection None Some reactive procedures

Some proactive procedures

Procedures to ID emerging risks

Training No training Internal training Security training for suppliers

Full screening & contingency exercises

Communication No plans Reactive Proactive Response and recovery plans

Culture No awareness Compliance only Security and compliance

Actions affecting security, resilience

2016‐08‐30

15

Supply Chain Security “Takeaways”

• Supply Integrity: uninterrupted supply helps ensure Customer commitments are continually achieved

• Financial Imperative: companies can improve bottom line performance through SC risk management

• Regulatory Compliance: alternatives are penalties, damage to reputation, and increased oversight

• Competitive Advantage: if you can’t execute, there are others who will gladly take on your business

• National Security: Securing the global supply chain is essential to the country’s defense posture and economic prosperity

Sources (Hyperlinked)In order to access websites, enter Slide Show mode and click on the titles

• Supply Chain Security: A Compilation of Best Practices• Defense Supply Chain Security: Current State and Opportunities

for Improvement• Investing in Supply Chain Security: Collateral Benefits• Promoting Resilience and Efficiency in Preparing for Attacks and

Responding to Emergencies (PREPARE) Act• Supply Chain Sustainability: A Practical Guide for Continuous

Improvement• World Economic Forum on Transport and Supply Chain Security• Supply Chain News: The Top 10 Best Quotes• Stemming the Rising Tide of Supply Chain Risks: How Risk

Managers Roles are Changing Responsibilities

2016‐08‐30

16

“Locking Down the Supply Chain”

Dennis Blass, CPP, PSP, CISSP

Director Safety, Security and

Emergency Preparedness

Children’s of Alabama

Transition

• The Pinkertons and Lockheed Martin have great programs. Laura Hains and Vicki Nichols do great jobs protecting their Supply Chains.

• How did do they you get to where they are with your organization?

• SAFE • C-TPAT Supply Chain Security Training Guide• ASIS Standards and Guidelines and Crisp Reports

• Supply Chain Security: A Compilation of Best Practices• Situational Crime Prevention and Supply Chain Security• Maturity Model

2016‐08‐30

17

Supply Chain Risk Management

Hazard Vulnerability Assessment

Facility / Community

Hazard ChampionThreat Motivation Low=1, Med=2, 

3=High

0=None  1=Rare          2= Occasional   3= Frequent Event  4=Routine Event

0=No Impact    1 = Limited  2 Substantial  3 Major

0=No Impact    1 = Limited   2 Substantial     3 Major

0=No Impact     1 = Limited  2 Substantial     3 Major

Impact Analysis

Hazard Motivation of Threat Likelihood of eventImpact (consequence) on 

Population Impact on PropertyImpact on reputation or regulatory consequences

Likelihood*  population + property + reputational / 

regulatory risks

Naturally Caused

Biological Disease Outbreak (Ebola) Community Vason 0 2 3 0 2 8

Major Earthquake Community Blass 0 0 0 0 0 0

Major Hurricane Community Blass 0 0 0 0 0 0

Loss of Network Services Facility Wood 0 1 1 1 0 2

Severe Winter Weather Facility Blass 0 3 1 0 1 4

Tornado/Wind Shear Facility Blass 0 1 1 1 0 2

Pandemic Outbreak Community Vason 0 2 3 0 0 6

Volcano Community Blass 0 0 2 2 0 0

2016‐08‐30

18

Hazard profile• List hazards (column A)• Classify as a facility or community problem (Column B)• Determine the motivation of the threat (Column D)• Determine Likelihood of event (probability or “P”)

(Column E) Does threat event occur daily, three or four times a week, once a year or once every 10 or 100 years

• Determine the consequences of the event “$”+ Impact on population Column F+ Impact on operations (Property) Column G+ Impact on reputation and regulatory retaliation Column H

• P*$ = Impact Analysis (Likelihood*Consequence)

Mitigation profile• For every hazard determine the controls available (Risk

reduction or mitigation plans in effect) (Column J)• Determine the effectiveness of controls (Column K)

• Have they been tested in exercises or actual events?• Are controls and assessments current• Law of the parasite –threats evolve• Have single points of failure been identified

• Subtract from Impact analysis• Determine risk management options

• Assume• Monitor• Develop Management Plan

2016‐08‐30

19

It looks like this

• An HVA looks is like looking at the forest.

• Bow-tie diagrams focus on trees• Events are in the middle• Efforts to reduce probability (P) are on the right of the

event• Efforts to reduce consequences ($) are on the left

• Risk Funnel

• Heat Maps

2016‐08‐30

20

•

2016‐08‐30

21

There are other views

Exercising and testing – the pathway to GREATNESS

2016‐08‐30

22

Where does this stuff come from?

Where does this stuff come from?

2016‐08‐30

23

There are more good things in the Supply Chain Risk Management compilation of Best Practices

• Annex A, A discussion on Information and Communication Technologies (ICT) Security

• Annex B, Examples of Organizational Resilience Procedures

• Prevention and Mitigation Planning Guide• Response Treatment Planning Guide• Continuity Treatment Planning Guide

• Annex C, Examples of Risk by Category and Type

What else is there?

• Annex D, Examples of Generic for Supply Chain Security Agreements

• Annex E, Examples of Supply Chain Security Self Awareness Questionnaires for Suppliers or Other Supply Chain Partners

• Annex F, Examples of Elements of Supply Chain Security Contract Language for External and Third Party Logistics Service Providers

• Annex G, Example of Crisis Management Program Element Review

• Annex H, Examples of Site Crisis Plan

2016‐08‐30

24

What difference does it make?

Get the book “Supply Chain Risk Management-A Compilation of Best Practices” (free to ASIS members).

Reading it may not make you an expert in supply Chain Risk Management in a day, but studying it (the whole thing plus the annexes) will put you ahead of 68.27% of the people in our field.

Mastering it (using it over and over and over) it will put you 95.45% ahead of your peers and with the likes of Vicki Nichols and Laura Hains.

“Questions?”

THANK YOU!